[JSC] Add ArrayJoin DFG nodes
26b192b
JSC's DFG is the mid-tier JIT compiler; operations are nodes in a graph. Adding ArrayJoin as a node means the compiler emits native code for Array#join instead of dispatching to a generic C++ runtime. ArrayMode encodes observed storage types (Int32, Double, Contiguous, Generic). The critical correctness invariant is that a separator object's toString() side effect must run exactly once per join() call, even when an array mutation inside toString() triggers an OSR exit — because the bytecode slow path will call toString() again if the JIT already ran it.
The commit's regression tests encode this directly: object separators whose toString() mutates the array (length shrink, indexing-type swap) must produce identical output across all tiers, with calls === testLoopCount.
Significance
New JIT intrinsics with side-effect-sensitive invariants across OSR exit boundaries are historically one of the richest categories of JIT vulnerability.
Audit directions
Aaa Aaaa a Aaaaaaaa Aaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaa Aaaaaaaaa Aa Aaaaaaa Aa Aaa Aaa Aaaaa Aaaaaaaaaaaaaaa Aaaaaa Aaa Aaaaa Aaaa Aaa Aaaa Aaaaaaaaa Aaaaaaa Aaaaaaa Aaaa Aa Aaaaa Aaaaaaaa Aaaaaa Aa Aaaaaaaaaaa Aaaaaaaaaaaaa Aaa Aaa Aaaaaaaaaaaaa Aaaa Aaa Aaaa Aaaa Aaaa Aaaaaaaaaaaaaaa Aaaaaa Aaaaaaaaaaaaaaaa Aaaaa Aaa Aa Aaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaa Aaaa Aaaa Aaaaa Aaaaaaaaa Aaaaaaaaaa Aaa Aaaaaaaaaaaa Aaaaaaaa a Aaaaa Aaaaaa Aaaa Aaaaaaaaaaa Aaaaaaaaa Aaa Aaaaaaa Aaaaaaaa Aa Aaaaaaaaaaa Aaaaaa Aaaaaa Aa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aa Aaaaaaa Aa Aaaaaa Aaaaaaaaaaaa Aa Aa Aaaaaaaaaaa Aaaaa a Aaaaaaaa Aaaaaaaaa Aaaa a Aaaaaa Aa Aaa Aaaaaaaaaaa Aaaaaaaaaa Aaa Aaaa Aaaaaaaaaa Aaaaaaaa Aaaa Aaaaaaaa Aaaaaaaaaaa Aaaaaaaaaaaaaaaa Aaaaa Aa Aaaaa Aaaa Aaaa Aaaaaaaaaa Aaaa Aaaaaa Aaaaaaaaaaaa a Aaaaaa Aaa Aaaaaaaaaaa Aaaaa Aaaaaaaa Aaa Aaaaa Aaaaaaa Aaaaaaa
🔒New JIT-generated code for a side-effect-sensitive operation across tier boundaries — multiple edge cases in the fast paths are worth security investigation.
Subscribe to read more